Behind the Octopus: The Hidden Race to Dismantle Global Law Enforcement Privacy Protections

Last month, 360 cyber crime experts from 95 countries gathered in Strasbourg to attend the Octopus Conference. The event sounds like something from James Bond, and when you look at the attendee list—which includes senior figures from the United States Department of Justice, national police forces across the world, and senior figures from companies like Facebook, Microsoft, Apple and Cloudflare—it’s easy to imagine a covert machination or two.

As it happens, Octopus is one of the more open and transparent elements in the world of global law enforcement and cybersecurity. Civil society groups like EFF and EDRi were invited to speak, and this year it was our primary chance to comment on a new initiative by the event’s organizers, the Council of Europe: an additional protocol to their Cybercrime Convention (also known as the Budapest Convention on Cybercrime), which will dictate how Parties to the Convention from around the world can cooperate across borders to fight Internet crime.

Our conclusion: the Council of Europe (CoE) needs to stand more firmly against a global trend to undermine everyone’s privacy in the pursuit of faster and easier investigations. As conversations at Octopus showed, the many long arms of the world’s law-enforcers are coming for user data, and the CoE needs to stand firm that they obey international human rights law, in particular Article 15 of the Budapest Convention, when they reach across borders.

The CoE is an international organization that grew out of a post-World War II initiative to build human rights into European decision-making. It’s older and has more member states than the European Union (EU), with which it is often confused (you can blame this confusion on the EU, which borrowed the original CoE logo for its flag and even named one of its major institutions “The European Council”).

Nowadays, the CoE (among other roles) acts as a forum for developing international treaties. The organization recently celebrated an update to Convention 108, its 1981 treaty on data protection that was the forerunner of the GDPR.

Currently, the CoE Cybercrime Committee (TC-Y), composed of State Parties, Observers, and international governmental representatives from around the world, is working on a second additional protocol to the Budapest Convention in order to spell out the practices countries should follow when allowing cross-border law enforcement access to subscriber data held by big tech companies like Google and Facebook, as well as by smaller companies and startups. The TC-Y’s proposal is part of a general push by governments around the world to speed up and widen access in international criminal investigations to online data held in other countries, most recently seen in the United States’ passing of the CLOUD Act, as well as the E-Evidence draft proposals by the European Union.

We, along with civil liberties groups across Europe and Canada, have been strong critics of the EU and U.S. initiatives, arguing that rather than create judicial short-cuts for law enforcement, as these laws would do, countries should put more resources into making the existing mutual legal assistance treaty (MLAT) system, which has built-in protections for privacy, run more effectively.

Some of the proposals introduced at July’s Octopus conference, unfortunately, fit some of these same patterns, such as allowing “direct cooperation with providers across jurisdictions and extending searches to access evidence in the cloud with the necessary rule of law safeguards.” Before Octopus, we, along with EDRi, Access, CIPPIC, IFEX, and a coalition of global civil society organizations from around the world, had already expressed our concern with the CoE’s TC-Y direction, but it’s been hard to hammer out the details, primarily because civil society is excluded from the CoE’s drafting meetings, which take place a few days before Octopus assembles.

If we’d been in those meetings, we would have highlighted the same problems that have weakened all of these attempts so far:

First, as mentioned before, we continue to question whether such drastic reforms are truly necessary. The existing system of mutual legal assistance among countries certainly needs to be improved, but bypassing MLATs by going directly to service providers for electronic data, as all of these new initiatives propose, is not the answer. Considerable procedural and human rights safeguards would be lost in such a move. Instead, civil society from around the world, including EFF and EDRi, has consistently recommended: offering technical training for law enforcement authorities; simplifying and standardizing data request forms; creating single points of contact for data requests; and, most importantly, increasing resources, especially in the United States, where the bulk of the requests end up. We’ve seen this work first-hand: thanks to a recent U.S. MLAT reform program, which increased the resources available to handle MLATs, the U.S. Department of Justice has already reduced the number of pending cases by a third.

Second, if you are going to circumvent MLATs, the replacement protocol needs to cope with some major difficulties in protecting human rights between states. One of the biggest challenges in the CoE TC-Y drafting process, a challenge that was evident in the initial Cybercrime Convention itself, is a presumption that signatory parties share (and will continue to share) a common baseline of understanding with respect to the scope and nature of human rights protections, including privacy.

Unfortunately, there is not yet a harmonized legal framework among the countries participating in the negotiations and, more importantly, not a shared human rights understanding.

Experience shows there is a need for countries to bridge the gap between national legal frameworks and practices on the one hand, and human rights standards established by the case law of the highest courts on the other. That’s especially true in the digital domain, where key human rights decisions have still not completely propagated globally, or even within their own jurisdictions. For example, the Court of Justice of the European Union (CJEU) has held on several occasions that blanket data retention is illegal under EU law. Yet several EU Member States still have blanket data retention laws, which serve as a basis for accessing data. Other states involved in the protocol negotiations, such as Australia, Mexico and Colombia, have implemented precisely the type of sweeping, unchecked, and indiscriminate data retention regime that the CJEU ruled out.

bypassing those critical human rights vetting mechanisms inherent in the current MLAT system that are currently used to, among other things, navigate conflicts in fundamental human rights and legal safeguards that inevitably arise between countries;

seeking to encode practices that fall below minimum standards being established in various jurisdictions by ignoring human rights safeguards established primarily by the case law of the European Court of Human Rights, the Court of Justice of the European Union, the Inter-American Commission on Human Rights, the Inter-American Court on Human Rights, among others; and

including few substantial limits and instead relying on the legal systems of signatories to include enough safeguards to ensure human rights are not violated in cross-border access situations and a general and non-specific requirement that signatories ensure adequate safeguards (see Article 15 of the Cybercrime Convention).

Finally, we would urge the authors of the forthcoming protocol not to create a mandatory or voluntary direct access mechanism to obtain data from companies directly. While the CoE’s current proposals seem to be limited to subscriber data, there are serious risks that the interpretation of what constitutes subscriber data might be expanded to include metadata, such as IP addresses.

Maryant Fernandez, EDRi’s Senior Policy Analyst, and Katitza Rodriguez, EFF International Rights Director, who spoke up at Octopus, made all of these points and more. But speaking up isn’t enough. It’s imperative that civil society be present at the drafting meetings themselves, so we can fix and correct these problems as they arise. Without civil society participation, we’re concerned the proposed Protocol will lack the strong data protections and critical human rights vetting mechanisms that are embedded in the current MLAT system. There are some places the long arm of the law, even the many arms of the global law enforcement Octopus, just shouldn’t reach without real oversight and meaningful safeguards.
